Page last updated on February 19, 2026
PTC THERAPEUTICS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:36:19 EST.
Filings
10-K filed on 2026-02-19
PTC THERAPEUTICS, INC. filed a 10-K at 2026-02-19 16:36:19 EST
Accession Number: 0001104659-26-017575
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

As is the case for most companies, we are regularly subject to cyber-attacks and other cyber incidents, therefore, cybersecurity is an important element of our overall enterprise risk management program. As part of our ordinary course of business, we collect, store and transmit large amounts of confidential information, including personal information, operational and financial transactions and records, clinical trial data and information relating to intellectual property, on internal information systems and through the information systems of collaborators and third-party vendors with whom we contract. We have a multilayered approach for assessing, identifying and managing cybersecurity risks, that is designed to help protect such information from internal and external cyber threats by understanding and seeking to mitigate risk while ensuring business resiliency.

Our cybersecurity program aligns with the industry standard National Institute of Standards and Technology Cybersecurity Framework. Our program is comprehensive and provides for the identification, prevention, and mitigation of cybersecurity threats and risks. We have monthly and annual cybersecurity training, a compliance program on cybersecurity for employees and contractors, an annual external audit, independent penetration tests, ongoing vulnerability scans and remediations. As part of our overall risk management strategy, we also maintain cyber insurance coverage, however, such insurance may not be sufficient in type or amount to cover us against all claims related to security breaches, cyber-attacks and other related breaches.

In relation to third party risk management, we conduct security assessments of third-party providers and software before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This process involves third-party providers responding to cybersecurity and information technology questionnaires and attending review meetings to assess the third-party providers' security posture to confirm that the provider is ensuring the security, integrity, and availability of processed data. We also utilize a Managed Detection and Response vendor to support our cybersecurity program and monitor our network internally and externally for threat identification and mitigation.

In addition, we have established a global incident response management, or GIRM, process. Our GIRM Standard Operating Procedure provides step-by-step instructions for managing any global incident which is disruptive of or interferes with the delivery and operation of our IT services and systems that are in use. The GIRM process involves IT groups, the Cybersecurity team, IT Leadership, and the Executive Leadership where appropriate. As regulatory disclosure requirements regarding cybersecurity incidents and data privacy matters have become more prevalent, we have developed an incident workflow designed to monitor and evaluate if such disclosure requirements are triggered by an incident through the inclusion of members of our legal, data privacy and executive teams in the incident response process.

We regularly engage third parties, including independent privacy assessors, computer security firms and risk management and governance experts to enhance our cybersecurity oversight and consult with these third parties on emerging industry trends.

Based on an assessment using the previously described enterprise risk management program, we do not believe that there are currently any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial conditions. See "Our business and operations would suffer in the event of computer system failures, cyber-attacks or a deficiency in our, or our collaborators' or third-party vendors', cyber-security" in Part I, Item 1A. "Risk Factors" for additional information.

Cybersecurity Governance and Oversight

Our Board of Directors administers its cybersecurity risk oversight function primarily through the Audit Committee of the Board of Directors. In accordance with our Audit Committee Charter, our Chief Information Officer, or CIO, provides periodic updates to our Audit Committee regarding the Company's cybersecurity and other technology risks, internal controls and procedures, including the Company's plan to mitigate cybersecurity risk and respond to data breaches. The Audit Committee is also responsible for reviewing any related periodic public filing disclosures. The Board of Directors receives regular reports from the Audit Committee. Our CIO also presents directly to our Board of Directors on an annual basis on these matters.

Our CIO oversees a cybersecurity and IT team that is responsible for maintaining daily operations and ensuring the confidentiality, integrity, and availability of data. The cybersecurity team has over 15 years' experience in cybersecurity along with advanced and undergraduate degrees in cybersecurity, and industry recognized security certifications such as CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). Our CIO reports directly to our Chief Legal Officer, both of whom are members of our executive committee leadership team. Cybersecurity incident status updates are provided as necessary to the executive committee as set forth in our GIRM.

In an effort to deter and detect cyber threats, we periodically provide all employees, including part-time and temporary employees, with data protection, cybersecurity and incident response and prevention training as part of our overall IT compliance program, which covers timely and relevant topics. Past topics have included social engineering, phishing, password protection, confidential data protection, asset use and mobile security. This training functions to educate employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.

For more information regarding the risks associated with our cybersecurity program, see Item 1A. Risk Factors, "Our business and operations would suffer in the event of computer system failures, cyber-attacks or a deficiency in our, or our collaborators' or third-party vendors', cyber-security."
Company Information
| Name | PTC THERAPEUTICS, INC. |
| CIK | 0001070081 |
| SIC Description | Pharmaceutical Preparations |
| Ticker | PTCT - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |